Yet Another Virtumundo Problem - Take Two

Discussion in 'Malware Help - MG (A Specialist Will Reply)' started by ArchangelG, Nov 21, 2004.

  1. ArchangelG

    ArchangelG Private E-2

    Hello all,
    I'm fairly new to this and am trying to get rid of my Virtumundo problem as well. I followed most of the "DO NOT POST UNTIL YOU HAVE READ THIS" post regarding disabling System Restore, scans (online Trend Micro, online Symantec, AVERT Stinger, CCleaner, Spybot, Spyware Blaster, CWShredder, Kill2me, about:Buster, HSRemove).

    I found viruses (Trojan, etc.) thru online Trend Micro and Symantec, got rid of them (unfortunately, I do not believe I posted logs of those so I do not have a record of them... I can redo those again if requested). However, I've used Ad-Aware SE (already has the VX2 cleaner plug-in installed) and have continued to find those 4 Virtumundo (Malware) 'files' or notices despite removing them. I've run a HijackThis scan and have noticed a "copda.dat" file in my Local Settings/Temp directory and "apdoc.exe" file in my Windows/Font (!) directory. I've tried deleting the apdoc.exe (manually & through Task Manager) and copda.dat files but they are unable to be deleted or have popped up again.

    I would appreciate any help from here because I am unsure as to what specifically do after having found it. I wasn't sure whether I should post my HijackThis log; thus, if I get a green light, I'll post it.

    Thanks for your time.
     
    Last edited by a moderator: Nov 21, 2004
  2. PhilliePhan

    PhilliePhan Guest

    ArchangelG,


    Please go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.98.2) and MUST be extracted to its own safe folder - C:\Program Files\HijackThis!

    If you need a Fresh Download of HJT, get it HERE: HijackThis 1.98.2

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt file and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    Send us a log and we'll go from there ;) I'll try to check back when I get a chance.

    Best,
    PP
     
  3. ArchangelG

    ArchangelG Private E-2

    PhilliePhan,

    I've attached my log. I've also noticed a jvoln.exe in there as well as within my Task Manager. Do you think that may be something? I'm not too well aware of this...

    Anyhow, thanks so much for your assistance! :)

    AAG
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi ArchangelG,

    Sorry I forgot to post this earlier. Got tied up. Anyhoo, here it is.

    This is my generic fix for Stopguard/Virtumundo-related malware infections. I have had a lot of success with it, but there have been some failures as well. Please note that this particular Malware mutates on reboot, so if you have rebooted subsequent to attaching your HJT Log, the file names may have changed.

    ALSO NOTE that the tough part is nailing that pesky running process that always springs back to life. To do this, I use the Delete a File on Reboot option in HijackThis. If you do this successfully, that process will be Deleted before it ever gets a chance to run! This should work every time. Please make sure to enter the correct path for the file to be deleted. If, for some reason, you are not able to delete the file in question, please try again before posting back.

    ANYHOO:
    Please print out these instructions so that you can operate with All Browser Windows CLOSED. Please follow the instructions very carefully - Do them in the exact order given.

    Please make sure System Restore is OFF and the Viewing of Hidden Files is Enabled as per the tutorial.

    Now, look in Task Manager (Ctrl-Alt-Del) for the following running process and END it, if possible:
    jvoln.exe

    NEXT:
    Look in C: > WINDOWS > PREFETCH & Delete apdoc.exe ( or any apdoc or codpa entries) if found. If it is easier, you can go ahead and delete all of the files in the Prefetch Folder – It’s a good idea to do this every couple of months anyway. ( Do Not Delete The Prefetch Folder Itself )

    ALSO: take a look inside the C:\WINDOWS\Fonts Folder for any backups (apdoc.bak or codpa.bak, etc.) – Note that they will probably be Hidden Files – Delete the ones that allow you to do so.

    NOW:
    Run HijackThis and Check the Boxes for the Following:

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm

    O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\GABRIE~1\LOCALS~1\Temp\codpa.dat

    O4 - HKLM\..\Run: [*apdoc] C:\WINDOWS\Fonts\apdoc.exe

    O4 - HKLM\..\RunOnce: [*apdoc] C:\WINDOWS\Fonts\apdoc.exe rerun

    O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\jvoln.exe
    ----> Trojan


    Click FIX and then, while still in HijackThis, look in the lower right-hand box where it says “Other stuff,” and select CONFIG > MISC TOOLS > select DELETE A FILE ON REBOOT and where it says File Name, Enter (or navigate to the file in the HijackThis pane) C:\WINDOWS\Fonts\apdoc.exe and click OPEN. A message will ask you if you want to reboot now. Click YES and reboot into SAFE MODE by tapping F8.

    You may receive an error message after rebooting into Safe Mode that says Windows could not find the file you told it to delete. Just click OKAY and DO NOT REBOOT AGAIN.

    While in Safe Mode (making sure that you are able to view hidden files) Navigate to and DELETE the following if it remains:

    C:\WINDOWS\System32\jvoln.exe

    THEN:
    Use Windows Explorer to run a search of your computer for:
    bkinst
    apdoc
    codpa


    and DELETE the related files. (We especially want to get rid of apdoc.ini & apdoc.dat & apdoc.bak AND codpa.ini & codpa.dat & codpa.bak + any other related crap.) It is important that you be thorough with this search. These files seem to like to hide all over your computer and have a nasty habit of resurrecting themselves if you do not get them ALL.

    NEXT:
    Run CCleaner and Spybot S&D and have Spybot fix what it finds.

    Then, as an added precaution, Go to Start > Run and type: cleanmgr. Make sure the boxes for these are checked:
    Temporary Files
    Temporary Internet Files
    Recycle Bin


    And Click OK.

    Reboot to Normal Windows and Attach a fresh HJT log. How are things running? Let me know of any problems that you may have encountered with the above instructions.

    Also: I recommend that you uninstall Weatherbug.

    Best luck :)
    PP
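The fix above is, in effect, a manual triage of the HijackThis log: look for autorun (O4) entries and BHOs (O2) that load code from places where no legitimate program lives, and pull the companion files before the next boot. Below is a small added example, written for this page and not part of the original post or of HijackThis itself, that applies the same reasoning to log lines automatically. The sample log is constructed from the entries quoted in the post plus two benign entries; the directory list, the indicator set (the file names this thread mentions) and the mirrored-name check (apdoc / codpa) are the example's own assumptions. One check worth knowing about: Windows documents that a RunOnce value whose name begins with an asterisk runs even in Safe Mode, so a `[*apdoc]` entry is not something a Safe Mode boot on its own would keep from firing, which is why the post fixes the O4 lines and schedules the delete-on-reboot before restarting.

```python
"""Triage HijackThis-style log lines for the persistence pattern in this thread.

Added example, not HijackThis code and not part of the original post. The
sample log is constructed from the entries quoted in the post above plus two
benign lines; the heuristics and the indicator list are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed sample: the five entries from the post plus two benign entries
# (an on-board sound driver autorun and the Acrobat Reader BHO).
SAMPLE_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://hsremove.com/done.htm
O2 - BHO: CATLEvents Object - {02F96FB7-8AF6-439B-B7BA-2F952F9E4800} - C:\DOCUME~1\GABRIE~1\LOCALS~1\Temp\codpa.dat
O4 - HKLM\..\Run: [*apdoc] C:\WINDOWS\Fonts\apdoc.exe
O4 - HKLM\..\RunOnce: [*apdoc] C:\WINDOWS\Fonts\apdoc.exe rerun
O4 - HKCU\..\Run: [JavaUpdate0.07] C:\WINDOWS\System32\jvoln.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
"""

# Directories that never legitimately hold autorun programs or BHO modules (assumption).
SUSPICIOUS_DIRS = ("\\fonts\\", "\\temp\\", "\\prefetch\\", "\\recycler\\")
BHO_MODULE_EXTS = (".dll", ".ocx")
# File stems named in this thread; a real tool would use a maintained feed.
THREAD_INDICATORS = {"apdoc", "codpa", "jvoln", "bkinst"}

R_DIR = "program or module lives in a directory that should not hold code"
R_STAR = "value name starts with '*' (a RunOnce entry so named runs even in Safe Mode)"
R_BHO_EXT = "BHO module is not a .dll/.ocx"
R_IOC = "file name matches an indicator from this thread"
R_MIRROR = "file name is the reverse of another file name in the log"

O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<desc>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")


@dataclass
class Finding:
    line: str
    reasons: list


def first_token(cmd):
    """First token of a Run command line, so 'apdoc.exe rerun' -> the .exe."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def stem(path):
    """Lower-cased file name without directory or extension."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def triage(log_text):
    """Return a Finding for every log line that trips at least one heuristic."""
    entries = []  # (line, file stem or None, reasons)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        file_stem, reasons = None, []
        m = O4_RE.match(line)
        if m:
            exe = first_token(m.group("cmd"))
            file_stem = stem(exe)
            if any(d in exe.lower() for d in SUSPICIOUS_DIRS):
                reasons.append(R_DIR)
            if m.group("name").startswith("*"):
                reasons.append(R_STAR)
        m = O2_RE.match(line)
        if m:
            module = m.group("path")
            file_stem = stem(module)
            if not module.lower().endswith(BHO_MODULE_EXTS):
                reasons.append(R_BHO_EXT)
            if any(d in module.lower() for d in SUSPICIOUS_DIRS):
                reasons.append(R_DIR)
        if file_stem in THREAD_INDICATORS:
            reasons.append(R_IOC)
        entries.append((line, file_stem, reasons))

    # Second pass: the dropper/BHO pair in this thread used mirrored names
    # (apdoc.exe / codpa.dat), so flag any stem whose reverse also appears.
    stems = {s for _, s, _ in entries if s}
    for _, s, reasons in entries:
        if s and len(s) >= 4 and s[::-1] != s and s[::-1] in stems:
            reasons.append(R_MIRROR)
    return [Finding(line, reasons) for line, _, reasons in entries if reasons]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.line)
        for r in f.reasons:
            print("    -", r)
```

Run it and the four entries the post tells you to fix come out flagged, while the sound-driver autorun and the Acrobat BHO do not; the R0 start-page line is parsed but not scored, since a home page URL on its own is not evidence of anything. The HKCU `jvoln.exe` line is caught only by the indicator list, which is the honest picture: a fresh executable in System32 with a plausible-sounding value name looks like nothing until someone identifies it, which is exactly why the thread leans on a specialist reading the log.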
     
  5. ArchangelG

    ArchangelG Private E-2

    Hey PhilliePhan,

    I did all that you said to do. (Well, except for Weatherbug, since I generally trust it. I have known others who have used it as well. I hope that does not sound naive unto itself. At this time, I have read PC Hell's page regarding Weatherbug and will look into the matter further. If you do have particular feelings or thoughts about Weatherbug, please let me know!)

    Though it initially seemed fine, I did find some more jvoln files (.dat and .rar) in my Windows/System32 directory. I deleted them and restarted and have yet to find any more jvoln files on the computer. I also ran SpyBot and got rid of some DSO exploits but have read that it may be a continuing problem until I have all Windows updates and the latest IE version - this may be an issue since I have yet to install XP SP2.

    Otherwise, it seems fine. Haven't found copda or apdoc files at all, either in the Windows/Fonts directory nor the Local Settings/Temp directory. I believe things look good! I posted my HJT log just in case -- I didn't find those entries that were there before.

    Thank you very much PhilliePhan - you truly are a guardian angel here! Your time and efforts have helped me and evidently, a good number of people on here too! :)

    Take care,
    G
     


  6. PhilliePhan

    PhilliePhan Guest

    Hi AAG,

    You are welcome! I am happy to help :) . . . . Though, I am a bit tired of the Virtumundo!! I hope the Anti-Spyware tools catch up to it soon.

    Ultimately, Weatherbug is your choice ;)

    You can get a fix for the DSO Exploit here: Spybot - Search and Destroy DSO Exploit Fix

    Your log looks good. Here is my canned speech ---> You should also take a look at Chaslang's recommendations HERE:How to protect yourself from malware!

    I definitely recommend that you use the following tools:
    Ad-Aware SE Personal

    SpyBot-Search & Destroy - Remember to use the "Immunize" feature

    SpywareBlaster

    These are all FREE! Just remember to Internet Update them regularly! They, along with a good Anti-Virus and Firewall & keeping your Windows up-to-date will do wonders in helping to keep Malware off your computer!

    Best :)
    PP
     
